- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- run new search based on row-value and get the resu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following table of results
|trkid | values |
|123 | a |
|124 | b |
|125 | d |
But i need based on the trkid row-value, run a new search and show the results in a new column and get the following
|trkid | values | new_col |
|123 | a | 1 | ----> this value is the result of using the trkid value in another search. Example: [search trkid=123 | stats count as new_col]
|124 | b | 1 | ----> this value is the result of using the trkid value in another search. Example: [search trkid=124 | stats count as new_col]
|125 | d | 3 |----> this value is the result of using the trkid value in another search. Example: [search trkid=125 | stats count as new_col]
It is possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you're wanting to add a new column to the end of your existing results based on the results you already have?
i would try to first just go with:
basesearch...|eventstats count by trkid
but you can also use appendpipe if you're trying to limit which trkid value to count:
basesearch...|appendpipe [search trkid=125 | stats count as new_col]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=foo [search index=foo...your current search giving results with field trkid and values | stats count by trkid | table trkid] | stats count as new_col by trkid
| append [search index=foo...your current search giving results with field trkid and values ]
| stats values(values) as values(new_col) as new_col by trkid
Can provide better representation if we have your current full query (and other query that you want to run based on trkid).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you're wanting to add a new column to the end of your existing results based on the results you already have?
i would try to first just go with:
basesearch...|eventstats count by trkid
but you can also use appendpipe if you're trying to limit which trkid value to count:
basesearch...|appendpipe [search trkid=125 | stats count as new_col]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And, if you want to add the results of different searches to your results, then there are more options.
Append -
(your existing search)
| table trkid myvalues
| append [index=foo your new search | stats count as new_col by trkid]
| stats values(*) as * by trkid
| table trkid myvalues new_col
Join -
(your existing search)
| table trkid myvalues
| join type=left trkid [index=foo your new search | stats count as new_col by trkid]
| fillnull value=0 new_col
| table trkid myvalues new_col
Map -
(your existing search)
| table trkid myvalues
| map search="search index=foo trkid2=$trkid$ | your calculations | eval myvalues=\"$myvalues$\""
| table trkid myvalues new_col
MANY more options...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
